9  Regulations

9.1 Key regulations

  1. Privacy Act 1988:
    • Governs the collection, use, storage, and disclosure of personal information in Australia.
    • Includes the Australian Privacy Principles (APPs) that set standards for handling personal data.
    • Federal Law
  2. Copyright Act 1968:
    • Protects the rights of creators and owners of original works, including software and digital content.
    • Addresses issues related to unauthorized copying, adaptation, and distribution of copyrighted materials.
    • Federal Law
  3. Privacy and Data Protection Act 2014:
    • Applies to the Victorian public sector and outlines requirements for the protection of personal information and data security.
    • Focuses on the responsible handling and storage of personal data to prevent unauthorized access and breaches.
  4. Health Records Act 2001:
    • Regulates the collection and handling of health information in Victoria.
    • Ensures the privacy and confidentiality of personal health records.

9.2 Overview of Factors Affecting Legislative Impact on Organisations

9.2.1 Type of Organisation

  • Factor Summary: Whether the organisation is private or government can affect which regulations apply.
  • Applicable Regulations:
    • Privacy Act 1988: Applies to private sector organisations with an annual turnover of more than $3 million and some smaller organisations, such as those handling sensitive health information.
    • Health Records Act 2001: Relevant for organisations that handle health records, including both private and public sector entities in Victoria.
    • Privacy and Data Protection Act 2014: Applies primarily to Victorian public sector agencies.
  • Impact and Penalties:
    • Non-compliance can result in investigations, enforceable undertakings, and monetary penalties by the Office of the Australian Information Commissioner (OAIC).

9.2.2 Annual Earnings

  • Factor Summary: Organisations earning over $3 million annually are generally subject to more stringent regulations.
  • Applicable Regulations:
    • Privacy Act 1988: Typically applies to organisations with an annual turnover exceeding $3 million.
  • Impact and Penalties:
    • Organisations may face significant fines for non-compliance, potentially reaching up to $2.1 million for serious breaches.

9.2.3 Location

  • Factor Summary: The geographical location of an organisation can determine the jurisdiction of applicable state or federal regulations.
  • Applicable Regulations:
    • Privacy and Data Protection Act 2014: Specifically applies to organisations operating in Victoria.
    • Health Records Act 2001: Applicable to entities handling health information in Victoria.
  • Impact and Penalties:
    • Location-based regulations may lead to state-specific penalties or requirements, such as those enforced by the Victorian Privacy Commissioner.

9.2.4 Nature of Data Handled

  • Factor Summary: The type of data managed, such as health records or personal information, can affect which regulations apply.
  • Applicable Regulations:
    • Health Records Act 2001: Focuses on organisations handling health-related information.
    • Privacy Act 1988: Covers a wide range of personal information, including sensitive data.
  • Impact and Penalties:
    • Penalties can include fines and mandated changes to data handling practices to ensure compliance.

9.2.5 Government vs. Private Organisation

  • Factor Summary: Government organisations are often subject to specific public sector privacy laws, whereas private organisations follow broader privacy regulations.
  • Applicable Regulations:
    • Privacy and Data Protection Act 2014: Targeted at public sector agencies in Victoria.
    • Privacy Act 1988: Governs private sector organisations handling personal information.
  • Impact and Penalties:
    • Breaches in government organisations may result in increased scrutiny and specific sanctions related to public accountability.

9.3 Privacy Act 1988 Summary

The Privacy Act 1988 is a critical Australian law governing the handling of personal information. Here is a concise summary from Chapter 4 with key points:

Original Scope and Amendments:

  • Initially applied to government agencies.
  • Expanded through the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
  • Addresses modern data handling and global data flows.

Application:

  • Applies to both electronic and manual data collection.
  • Covers private businesses with an annual turnover of more than $3 million.
  • Includes private health services, businesses trading personal information, and those opting in to be covered.

Definitions:

  • Personal information includes any data about an identifiable individual.
  • Extended to cover biometric and genetic data, philosophical beliefs, and sexual orientation.

Rights and Protections:

  • Individuals have the right to know the purpose of data collection.
  • Individuals can opt out of direct marketing, and can access and correct their personal data.
  • Penalties for breaches reach $340,000 for individuals and $1.7 million for organizations.

Australian Privacy Principles (APPs):

  • The Act is supported by the APPs, which set standards for personal information handling.
  • The APPs mainly target federal government agencies, private health providers, and large businesses.

9.4 Privacy and Data Protection Act 2014 Summary

The Privacy and Data Protection Act 2014 (PDPA) was introduced by the Victorian Government to enhance the protection of personal information and data held by Victorian government agencies, local councils, and contractors working for the State Government. Here are the key points:

Replacement of Previous Acts:

  • The PDPA replaced the Information Privacy Act 2000 and the Commissioner for Law Enforcement Security Act 2005.

Single Privacy Framework:

  • The PDPA establishes a unified privacy and data protection framework for Victorian government agencies, using its own set of Information Privacy Principles (IPPs). These principles guide how personal information should be handled.

Establishment of a Commissioner:

  • The Act led to the creation of the Privacy and Data Protection Commissioner, responsible for overseeing compliance with the IPPs.

Information Privacy Principles (IPPs):

  • While the Australian Privacy Principles (APPs) were introduced in federal legislation, Victoria continues to use its IPPs under the PDPA.

Obligations of Organizations:

  • Organizations are required to act in accordance with the IPPs, ensuring the protection and proper handling of personal information.

Scope of the Act:

  • The PDPA applies to data held by government agencies, emphasizing the importance of safeguarding personal information against unauthorized access and misuse.

9.4.1 Information Privacy Principles (IPPs)

1. Collection of Personal Information:

  • Organisations should only collect information that is necessary for their functions or activities. They must inform individuals that their information is being collected and how it will be used.

2. Use and Disclosure of Personal Information:

  • Personal information should only be used or disclosed for the primary purpose for which it was collected, or for a related secondary purpose that the individual would reasonably expect. Consent is required for other uses.

3. Data Quality:

  • Organisations must take reasonable steps to ensure that the personal information they collect, use, or disclose is accurate, complete, and up-to-date.

4. Data Security:

  • Organisations must protect personal information from misuse, loss, unauthorized access, modification, or disclosure. They should take steps to destroy or de-identify personal information that is no longer needed.

5. Openness:

  • Organisations must be transparent about their personal information management policies and practices. They should provide this information to anyone who requests it.

6. Access and Correction:

  • Individuals have the right to access the personal information an organisation holds about them and to request corrections if the information is inaccurate, incomplete, or outdated.

7. Unique Identifiers:

  • Organisations should only use unique identifiers, such as numbers, when necessary for efficient functioning. The use of government identifiers, like tax file numbers, is restricted.

8. Anonymity:

  • Where possible and lawful, individuals should have the option of not identifying themselves when interacting with organisations.

9. Transborder Data Flows:

  • Personal information transferred outside Victoria must be protected by laws or binding schemes substantially similar to the IPPs.

10. Sensitive Information:

  • Organisations must not collect sensitive information, such as health data or political opinions, unless required by law or with the individual’s consent.

9.5 Health Records Act 2001 Summary

The Health Records Act 2001 is legislation enacted in Victoria, Australia, to regulate the collection, handling, and privacy of health information. Here are the key aspects:

Purpose and Scope:

  • Designed to protect the privacy of individuals’ health information.
  • Applies to both public and private sector health services in Victoria.
  • Allows individuals to access their medical information and establishes privacy principles for health records.

Health Privacy Principles (HPPs):

  1. Collection:

    • Health information should only be collected if necessary for a specific function or activity and with the individual’s consent.
    • Individuals must be notified about the collection and usage of their information.
  2. Use and Disclosure:

    • Information should only be used or disclosed for the primary purpose for which it was collected or for a directly related purpose that the individual would reasonably expect.
    • Consent is required for any other uses.
  3. Data Quality:

    • Reasonable steps must be taken to ensure that the health information is accurate, complete, up-to-date, and relevant.
  4. Data Security and Retention:

    • Health information must be protected against misuse, loss, unauthorized access, and modification.
    • Information should only be destroyed or de-identified according to legal requirements.
  5. Openness:

    • Organizations must have transparent policies regarding the management of health information and make them available upon request.
  6. Access and Correction:

    • Individuals have the right to access their health information and correct it if it is inaccurate, incomplete, misleading, or not up-to-date.
  7. Identifiers:

    • Unique identifiers for individuals should only be assigned when necessary for the organization’s efficient functioning.
  8. Anonymity:

    • Where lawful and practicable, individuals should have the option to remain anonymous in their transactions with organizations.
  9. Transborder Data Flows:

    • Health information should only be transferred outside Victoria if the receiving entity is subject to laws substantially similar to the HPPs.
  10. Transfer/Closure of Practice:

    • Health service providers must notify individuals if their practice is being sold, transferred, or closed, ensuring continuity of care.
  11. Making Information Available to Another Health Service Provider:

    • Facilitates the transfer of information to another provider when necessary for ongoing care.

Compliance and Penalties:

  • Individuals can make complaints to the Health Services Commissioner if they believe their rights under the Act have been breached.
  • Organizations in breach may face penalties, including compliance notices to correct procedures.